IBM Cloud Docs
Single sign-on (SSO)

Single sign-on (SSO)

With Single sign-on (SSO) for Cloud Directory, you can provide a smooth authentication experience between multiple web apps. If SSO is turned on when a user initially signs in, they are not required to reenter their credentials the next time they sign-in. Instead, they are automatically signed in to any of your apps that are protected by the same App ID instance.

App ID provides SSO for Cloud Directory users. If you use a social or federated SAML identity provider SSO is managed by that provider and App ID respects it.

How it works

Check out the following diagram to see SSO in action.

SSO diagram
Figure 1. Cloud Directory SSO flow

  1. A Cloud Directory user signs in to your app for the first time.
  2. They are asked to authenticate by providing either a username or email and password.
  3. If the credentials are valid, a user is signed in to your app. At the same time, App ID, creates a session and sets a cookie on the user's browser.
  4. If a user attempts to sign in to one of your other applications, App ID detects the session cookie and automatically signs the user into your app. App ID session cookies are instance-specific and are signed by the instance's unique private key.

Currently, Cloud Directory SSO is configured to work when Cloud Directory is the only enabled identity provider. If your instance of App ID is configured to use multiple identity providers, enabling SSO has no effect on the sign-in flow. Users are prompted to enter their Cloud Directory credentials or choose one of the other providers at every sign-in.

Configuring SSO

You can configure single sign-on by using the App ID dashboard or by using the APIs.

With the GUI

You can configure the SSO through the GUI.

  1. Navigate to the Cloud Directory > Single Sign-on tab of the App ID dashboard.

  2. Toggle Enable single sign-on to Enabled.

  3. Set the amount of time that a user can be inactive before the SSO session expires. When it expires, they must sign in again. The time is specified in minutes and the maximum allowed time for inactivity is 10,080 minutes (7 days). The default time is 1440 minutes, which is the equivalent of 1 day.

  4. Add your redirect URIs to the Logout redirect URI box and click the + sign. Be sure to register only applications that you trust. By registering the URI, you're authorizing App ID to include it in the authorization workflow.

  5. Click Save.

With the API

By using the SSO Configuration Admin API to define three settings, you can turn on the feature.

An example call:

{
  "isActive": true,
  "inactivityTimeoutSeconds": 86400,
  "logoutRedirectUris": [
    "http://my-first-app.com/after_logout",
    "http://my-second-app.com/after_logout"
  ]
}
Table 1. SSO configuration settings
Setting Definition
isActive To enable SSO, set this value to true. The default setting is false.
inactivityTimeoutSeconds The longest length of time that can pass without any user activity before the user is required to reenter their credentials. This value is specified in seconds and can be a maximum of 604800 seconds (7 days). The default setting is 86400 seconds (1 day).
logoutRedirectUris A comma-separated list of allowed URIs that App ID can redirect your users to after they sign out.

Configuring logout

With App ID, you can end a user's SSO session for their current browser. If the API endpoint is accessed by the user's browser, their session is terminated and the user is prompted to enter their credentials on their next sign-in attempt in that browser - for any of your apps.

When one of the flows that are related to changing, resetting, or renewing a password is started, the sessions across all clients are automatically terminated for the user.

By using the API

To sign out a user, redirect their browser by using your information to complete the following API call.

https://<region>.appid.cloud.ibm.com/oauth/v4/<tenantID>/cloud_directory/sso/logout?redirect_uri=<redirectURI>&client_id=<clientID>
Table 2. SSO sign-out API call variables
Variable Value
region The region in which your instance of App ID is provisioned. Learn more about the available regions.
tenantID The unique identifier for your instance of App ID. You can find this value in the Service Credentials tab of the App ID dashboard. If you do not have a set of service credentials, you can create one and take the value from there.
redirectURI A URI that you specified in your SSO configuration through the App ID dashboard. For security reasons, if you do not specify a value redirection cannot occur and an error is displayed.
clientID Your application's client ID.

Even if the SSO session is ended, a user with a valid access token that is stored in their session might not be required to enter their credentials again until their token expires. By default the token expires after 1 hour.

By using the Node.JS server SDK

You can also use the App ID Node.js server SDK to automatically handle the redirection for you.

  1. Set logoutSSO as a method. For example:

    let webAppStrategy = new WebAppStrategy(.....);
....
webAppStrategy.logoutSSO();

  2. Configure logout.

    app.get('/logoutSSO', (req, res) => {
   res.clearCookie("refreshToken");
   webAppStrategy.logoutSSO(req,res, { "redirect_uri": "https://my-app.com/after_logout" });
   });

Ending all sessions for a user

As an administrator, you can end all SSO sessions for any user by using the App ID admin APIs. The APIs are protected by a Cloud IAM token.

Example API request:

POST https://<region>.appid.cloud.ibm.com/management/v4/<tenantID>/cloud_directory/Users/<userID>/sso/logout
Headers:
Authorization: Bearer <IAMToken>
Content-Type: application/json
Table 3. Variables that are needed to end all SSO sessions for a user
Variable Value
Content-Type The content type of your request. The accepted value is application/json.
region The region in which your instance of App ID is provisioned. Learn more about the available regions.
tenantID The unique identifier for your instance of App ID. You can find this value in the Service Credentials tab of the App ID dashboard. If you do not have a set of service credentials, you can create one and take the value from there.
userID The unique identifier for a Cloud Directory user. You can obtain the ID by using the Cloud Directory Users APIs, or by viewing the user's identity token.

When you invoke this API, all the specified user's SSO sessions are invalidated. This means that the next time that the user attempts to sign in to any of your apps, from any device or browser, they are required to reenter their credentials.